Upgrading a TrueCrypt-protected system to Windows 10

I have protected my (Windows 7) development computer’s system volume with Truecrypt and pre-boot authentication. To upgrade a system like this to Windows 10 when it is offered to you, is almost as easy as any other system, but you need to plan ahead! Here’s a really easy how-to.

The challenge lies in the fact that Truecrypt (and, for that matter, forks of it like VeraCrypt or CipherShed) modifies the boot sector to present you with that pre-boot authentication screen before loading the operating system (Windows).

What is wrong with that then?

If you upgrade to Windows 10, the upgrade process will modify that same boot sector to install the Windows 10 boot loader and that will overwrite the Truecrypt version. Because Truecrypt works so transparently, all will appear fine during the upgrade right up until the point that you reboot. The new Windows 10 boot loader will almost immediately get stuck because the rest of the disk is encrypted and the decryption code has just been removed. You’re in trouble then. There could be a way to still fix it but to do so, you need to still have that burned disc with the header backup you created — you did, didn’t you — when first applying system encryption. I am not going into that, because if you follow these steps, you won’t need to.

Upgrading, the proper way

In fact, there is only one thing really important: Before starting the upgrade process, first fully decrypt your system volume! Do not worry, decryption is possible in-place, and you can re-encrypt it after the upgrade. Also, if you have any secondary volumes encrypted (using system favorites), you do not need to decrypt those unless they are absolutely necessary for your boot process. That is fortunate, because there is no way to in-place decrypt secondary volumes like there is for system volumes. In my case, I had database files and virtual machines stored there, but I could live with SQL server or VMWare failing to start a couple of times while upgrading so I decided to leave the secondary volume alone.

Start TrueCrypt

Click the System menu and select Permanently Decrypt System Partition/Drive

Confirm a couple of times that you know what you are doing.

TrueCrypt will start to decrypt the system drive. This may take up to a couple of hours, depending on the size of your disk and the speed of your system. You could leave that running in the background and go do something else on the system, but it is quicker if you leave your system alone while it is decrypting. Also, if you’re on a laptop make sure it’s plugged in. You would not want it to run out of battery half-way through. But the same would go for the Windows 10 upgrade anyway.

Once done, TrueCrypt will tell you to reboot, so do that.

Reboot your system

You will notice you do not need to enter your password at boot this time.

At this point you’re ready to upgrade. You do not need to uninstall the TrueCrypt software from your system. It should, and at least in my case it did, happily survive the upgrade from Windows 7 to Windows 10.

Now, start your Windows 10 upgrade. I will not go into details about that, there’s enough on that subject elsewhere.

After the upgrade is complete and you’ve successfully booted into your Windows 10 desktop and verified that everything is working as it should, you can simply re-encrypt your system volume.

Start TrueCrypt

Click the System menu and select Encrypt System Partition/Drive

Complete the encryption process like you did when originally encrypting. (Don’t forget to create a new rescue disc.)

Important to note that if you had secondary encrypted volumes that you mounted as system favorites, you need to choose the same password as you had originally, because system favorites rely on those passwords being identical. If there are no system favorites, you are free to choose a new password.

Once the encryption is complete, if there were secondary volumes, you will need to mount them and re-add them to the system favorites.

That’s all! (Obvious disclaimer: of course, do all this is at your own risk.)

Advertenties

Share this:

Vind ik leuk:

Gerelateerd

Over ShiftkeyI am Maarten, owner of and chief software developer for Shiftkey software development from The Netherlands. I will be writing mainly about things I run into when programming in C# or Delphi.

I’ve been able to do an in-place upgrade of Windows 7 to Windows 10 CU (1703) by inject the truecrypt driver during the setup. The setup.exe on the WIndows 10 CU media supports the command line /ReflectDrivers to use encryption drivers during the upgrade. I had to create a proper inf file for the truecrypt driver (.sys) with accompanying cat file, but it worked.